As a software engineer, I find this remark from Paul Rosenzweig at Lawfare incredibly dispiriting:
A case in point is this report from The Register. Readers may recall that a month ago, reports surfaced of a theft of more than $81 million from the Bangladeshi central bank. And it seems that but for a small error, the thieves might have gotten away with more than $1 billion. The attack itself came in through the SWIFT system — the Society for Worldwide Interbank Financial Telecommunication, headquartered in Belgium. We were assured, however, that there were no vulnerabilities in the SWIFT system itself. According to SWIFT the hack must have started in the local banks.
Perhaps so. But today we learn that SWIFT itself has failed to take even the most basic security steps to protect its network. Two-factor authentication is the simple system where when you log in, you use a password but then you also have to present a second factor to authenticate yourself. Usually this is some sort of random PIN. Or it can be an approval from your mobile device. Everyone uses it these days — it's how we log in to Google mail and it's also how we log in to post on Lawfare.
Apparently, however, SWIFT was not so swift. Only now, after the Bangladeshi attack (and others on banks in the Philippines and Vietnam) will the bank move to expand its use of two-factor authentication.
Viscerally, I just want to get rid of them. Yes, take your pick between SWIFT and computers. Getting rid of either would take care of the problem.
Surely SWIFT had availed itself of the services of any of a number of security-focused corporations? This sounds like the sort of thing where someone is very publicly fired.